Interoperability Profile for ZyXEL VFG6005N

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

Steps for setting up the VFG6005N as Gateway A

All commands are executed through the web-based GUI. The default values are username admin, password admin, LAN DHCP server enabled.

Define the WAN (Internet) address for Gateway A. In Setup->WAN. In the form:
- verify Ethernet WAN is enabled
- select connection type as static IP
- set the external IP address to 14.15.16.17
- select netmask as 255.255.255.0
- set gateway IP address to 22.23.24.25
- Click the Save Settings button

Define the local addresses for the network behind Gateway A. In Setup->LAN. In the form:
- set the internal IP address to 10.5.6.1
- verify netmask of 255.255.255.0
- Click the Save Settings button

Specify VPN parameters for Gateway A. In Security->VPN/IPsec, click the Add button. In the form:
- click the IPsec Enable button
- a sequence number for this rule will automatically be added
- enter a connection name
- verify that the box to enable this rule is checked
- verify the VPN Mode as Net-to-Net
- verify the local external interface as Ethernet WAN
- select the current local address range 10.5.6.1 from the popup
- set the local subnet mask to 255.255.255.0
- set the remote gateway to 22.23.24.25
- set the remote subnet IP to 172.23.9.1
- verify the remote subnet mask of 255.255.255.0
- if this device is the tunnel initiator, check connection initiation
- verify the IKE key mode is PSK
- enter "hr5xb84l6aa9r6" for the preshared key
- check Advanced Options, then click the Confirm button to reveal the additional parameters needed below
- verify the Phase 1 mode as Main
- set the Phase 1 lifetime to 28800
- set the Phase 2 lifetime to 28800
- select the Phase 1 authentication as SHA1
- select the Phase 1 encryption as 3DES
- select the Phase 1 group key management as DH2
- select the Phase 2 authentication as SHA1
- select the Phase 2 encryption as 3DES
- select the Phase 2 group key management for PFS as DH2
- Click the Confirm button, then the Save Settings button
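
A matching peer configuration for Gateway B, added here as an example and not part of the original profile, assuming Gateway B is a strongSwan host managed with swanctl (the connection and secret names are arbitrary). It mirrors the Phase 1 and Phase 2 choices above; 3DES, SHA1 and DH group 2 are legacy-strength algorithms selected for interoperability with this firmware, not for strength.

```conf
# swanctl.conf on Gateway B (strongSwan assumed), mirroring the Gateway A
# settings above: IKEv1 Main mode, PSK, 3DES/SHA1/DH2, 28800 s lifetimes.
connections {
    to-gateway-a {
        version      = 1                    # IKEv1; Main mode is the default (aggressive = no)
        local_addrs  = 22.23.24.25          # BW: Gateway B WAN address
        remote_addrs = 14.15.16.17          # AW: Gateway A WAN address
        proposals    = 3des-sha1-modp1024   # Phase 1: 3DES, SHA1, DH2
        reauth_time  = 8h                   # Phase 1 lifetime 28800 s; IKEv1 re-authenticates instead of rekeying
        local {
            auth = psk
            id   = 22.23.24.25              # Main mode with PSK identifies peers by IP address
        }
        remote {
            auth = psk
            id   = 14.15.16.17
        }
        children {
            net-to-net {
                local_ts      = 172.23.9.0/24      # network behind Gateway B
                remote_ts     = 10.5.6.0/24        # network behind Gateway A
                esp_proposals = 3des-sha1-modp1024 # Phase 2: 3DES, SHA1, PFS with DH2
                rekey_time    = 8h                 # Phase 2 lifetime 28800 s
                start_action  = none               # Gateway A is the initiator (see "connection initiation" above)
            }
        }
    }
}
secrets {
    ike-gateway-a {
        id     = 14.15.16.17
        secret = "hr5xb84l6aa9r6"           # preshared key from the profile above
    }
}
```

After loading it with `swanctl --load-all`, a ping from 172.23.9.1 to 10.5.6.1 should bring the tunnel up once Gateway A initiates, and `swanctl --list-sas` on Gateway B shows the negotiated proposals, which is the only tunnel monitoring available in this scenario since the VFG6005N firmware provides none.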

The firewall is enabled by default and will not interfere with pinging the local IP address from across the tunnel.

At present, this version of the device's firmware does not support monitoring, initiating, or terminating tunnels.